Hobbit7
just joined
Topic Author
Posts: 6
Joined: Mon Nov 25, 2024 9:31 pm

Why can I not use static ip_

Mon Nov 25, 2024 10:15 pm

Hello! Newcomer to the MikroTik world. I have a lot to learn and I'm taking my first steps with a hAP ax³, although I've been reading the forum for the last 4 months.
I have a few issues that I'm not able to solve for now, and I'm looking for any recommendations from your side. I have made several tests starting with and without default configuration.
For now, I'll post my current configuration, which is basic of course, until I solve the main problem, which is why I cannot set a static public IP. My provider is giving a static IP and the connection is through fiber. If I follow any guide that I've seen to set a static IP, then I have no connection to the internet. If I change to Automatic and use a DHCP Client, then it gets the static IP and works fine.
Here we are, and any recommendations are welcome. I can provide more info if needed.
# 2024-10-22 19:04:28 by RouterOS 7.16.1
# model = C53UiG+5HPaxD2HPaxD
/interface bridge
add admin-mac=XX:XX:XX:XX:XX:XX auto-mac=no comment=defconf name=LOCAL \
    port-cost-mode=short
/interface ethernet
set [ find default-name=ether1 ] name="ether1 [INTERNET]"
set [ find default-name=ether2 ] name="ether2 [SERVER]"
set [ find default-name=ether3 ] name="ether3 [SALLOON]"
set [ find default-name=ether4 ] name="ether4 [PC]"
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip pool
add name=dhcp ranges=192.168.32.10-192.168.32.254
/ip dhcp-server
add address-pool=dhcp interface=LOCAL lease-time=10m name=defconf
/ip smb users
set [ find default=yes ] disabled=yes
/interface bridge filter
add action=drop chain=forward in-interface=wifi3
add action=drop chain=forward out-interface=wifi3
add action=drop chain=forward in-interface=wifi4
add action=drop chain=forward out-interface=wifi4
/interface bridge port
add bridge=LOCAL comment=defconf interface="ether2 [SERVER]" \
    internal-path-cost=10 path-cost=10
add bridge=LOCAL comment=defconf interface="ether3 [SALLOON]" \
    internal-path-cost=10 path-cost=10
add bridge=LOCAL comment=defconf interface="ether4 [PC]" internal-path-cost=\
    10 path-cost=10
add bridge=LOCAL comment=defconf interface=ether5 internal-path-cost=10 \
    path-cost=10
add bridge=LOCAL comment=defconf interface=wifi1 internal-path-cost=10 \
    path-cost=10
add bridge=LOCAL comment=defconf interface=wifi2 internal-path-cost=10 \
    path-cost=10
add bridge=LOCAL interface=wifi3 internal-path-cost=10 path-cost=10
add bridge=LOCAL interface=wifi4 internal-path-cost=10 path-cost=10
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ipv6 settings
set max-neighbor-entries=15360
/interface list member
add comment=defconf interface=LOCAL list=LAN
add comment=defconf interface="ether1 [INTERNET]" list=WAN
/ip address
add address=192.168.32.7/24 comment=defconf interface=LOCAL network=\
    192.168.32.0
/ip cloud
set update-time=no
/ip dhcp-client
add interface="ether1 [INTERNET]" use-peer-dns=no
/ip dhcp-server lease
add address=192.168.32.12 client-id=1:XX:XX:XX:XX:XX:f7 mac-address=\
    XX:XX:XX:XX:XX:F7 server=defconf
add address=192.168.32.14 client-id=1:XX:XX:XX:XX:XX:e9 mac-address=\
    XX:XX:XX:XX:XX:E9 server=defconf
/ip dhcp-server network
add address=192.168.32.0/24 comment=defconf dns-server=192.168.32.7 gateway=\
    192.168.32.7 netmask=24
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,1.0.0.1
/ip dns static
add address=192.168.32.7 comment=defconf name=router.lan type=A
/ip firewall address-list
add address=192.168.32.10-192.168.32.254 list=LOCAL
/ip firewall filter
add action=accept chain=input comment="accept established,related,untracked" \
    connection-state=established,related,untracked
add action=drop chain=input comment="drop invalid" connection-state=invalid
add action=accept chain=input comment="accept ICMP" protocol=icmp
add action=drop chain=input comment="drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment=\
    "accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="drop invalid" connection-state=invalid
add action=accept chain=forward comment="accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=accept chain=forward comment="internet traffic" in-interface-list=\
    LAN out-interface-list=WAN
add action=accept chain=forward comment="port forwarding" \
    connection-nat-state=dstnat
add action=drop chain=forward comment="drop all else"
/ip firewall mangle
add action=mark-connection chain=prerouting dst-address-list=INTERNET \
    new-connection-mark=HairPin_NAT passthrough=yes src-address-list=LOCAL
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat dst-port=51210 in-interface-list=WAN \
    protocol=tcp to-addresses=192.168.32.12 to-ports=51210
add action=dst-nat chain=dstnat dst-port=52181 in-interface-list=WAN \
    protocol=tcp to-addresses=192.168.32.12 to-ports=52181
add action=dst-nat chain=dstnat dst-port=51834 in-interface-list=WAN \
    protocol=udp to-addresses=192.168.32.12 to-ports=51834
add action=dst-nat chain=dstnat dst-port=61403 in-interface-list=WAN \
    protocol=tcp to-addresses=192.168.32.12 to-ports=61403
add action=dst-nat chain=dstnat dst-port=63099 in-interface-list=WAN \
    protocol=tcp to-addresses=192.168.32.12 to-ports=63099
add action=dst-nat chain=dstnat dst-port=63099 in-interface-list=WAN \
    protocol=udp to-addresses=192.168.32.12 to-ports=63099
add action=dst-nat chain=dstnat dst-port=2222 in-interface-list=WAN protocol=\
    tcp to-addresses=192.168.32.14 to-ports=2222
add action=dst-nat chain=dstnat dst-port=50081 in-interface-list=WAN \
    protocol=udp to-addresses=192.168.32.12 to-ports=50081
/ip firewall service-port
set ftp disabled=yes
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
/ip service
set telnet disabled=yes
set ftp address=192.168.32.0/24 disabled=yes
set www disabled=yes
set ssh address=192.168.32.0/24 port=2222
set api disabled=yes
set winbox address=192.168.32.0/24
set api-ssl disabled=yes
/ip smb shares
set [ find default=yes ] directory=/pub
/ip ssh
set strong-crypto=yes
/ip upnp interfaces
add interface=LOCAL type=internal
add interface="ether1 [INTERNET]" type=external
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/system note
set show-at-login=no
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
 
3dfx
newbie
Posts: 45
Joined: Sun Sep 15, 2013 6:57 pm
Location: Bulgaria

Re: Why can I not use static ip_

Mon Nov 25, 2024 11:31 pm

Starting from the default configuration, there are a few things to do in order to set your static IP:

1. Disable the DHCP client on ether1
2. Add the IP configuration under IP -> Address to port ether1
3. Add a static route to 0.0.0.0/0 through the gateway provided by the ISP (IP -> Routes)
4. Add static DNS server under IP -> DNS

The rest of the configuration (interface lists, masquerade, bridge configuration, etc) is already included in the default script.
 
Hobbit7
just joined
Topic Author
Posts: 6
Joined: Mon Nov 25, 2024 9:31 pm

Re: Why can I not use static ip_

Tue Nov 26, 2024 6:51 am

Thank you for the help. Unfortunately, I have done these steps in another configuration without success. I'll do it and then post back.
 
jvanhambelgium
Forum Guru
Posts: 1119
Joined: Thu Jul 14, 2016 9:29 pm
Location: Belgium

Re: Why can I not use static ip_

Tue Nov 26, 2024 8:42 am

Perhaps your interpretation is just wrong ;-) Don't overthink it....
An ISP provider providing you a "static" non-changing public IP *does not* mean you mandatorily have to configure an actual STATIC IP on your interfaces!
This non-changing public IP is/can be delivered through the DHCP mechanism perhaps.

Can you confirm your ISP instructed you to move away from the DHCP mechanism and put something static on your end device?
 
Hobbit7
just joined
Topic Author
Posts: 6
Joined: Mon Nov 25, 2024 9:31 pm

Re: Why can I not use static ip_

Tue Nov 26, 2024 7:56 pm

@3dfx: I followed your advice, but it still doesn't work. I had already done this procedure though.

@jvanhambelgium: Hmm, I didn't think of it like this, just to be fair. The ISP didn't instruct me to do anything, as I had always in my mind that a static IP doesn't need any DHCP client to be enabled.
It seems that I was wrong then.

Could you check my port forwarding rules please? Although I follow the same way of opening ports for applications that I use, I still have problems with a few and I don't really understand why. Moreover, I have never been able to open any with the UDP protocol. Does it need anything else?

For example, I have installed ThinLinc on my Debian server and no matter what I'm doing I cannot connect to it through ssh port 2222 (I have changed the default), both locally and publicly. A friend of mine can log in without any issue with the public IP, so the configuration of the server should be fine and something is wrong from my side.
 
Amm0
Forum Guru
Posts: 4441
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: Why can I not use static ip_

Tue Nov 26, 2024 8:30 pm

Hobbit7 wrote:
"@jvanhambelgium: Hmm, I didn't think of it like this just to be fair. The ISP didn't instruct me to do anything, as I had always in my mind that static IP doesn't need any DHCP client to be enabled.
It seems that I was wrong then."

You're missing a default route in /ip/route for the gateway. To use a static IP, you assign it via /ip/address on the interface to WAN & add a "/ip/route gateway=<WAN GW IP>" (or via winbox, under IP > Routes)
 
Amm0
Forum Guru
Posts: 4441
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: Why can I not use static ip_

Tue Nov 26, 2024 8:34 pm

Hobbit7 wrote:
"Could you check my port forwarding rules please? Although I follow the same way of opening ports for applications that I use, I still have problem with a few and I don't really understand why. Moreover, I have never been able to open any with UDP protocol. Does it need anything else?"

You shouldn't need port forwarding from LAN to server, since it just uses bridge+ARP. Now... if you're using Wi-Fi on the wifi3 or wifi4 interface, then local access would be blocked by bridge filter rules:
/interface bridge filter
add action=drop chain=forward in-interface=wifi3
add action=drop chain=forward out-interface=wifi3
add action=drop chain=forward in-interface=wifi4
add action=drop chain=forward out-interface=wifi4
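
An added example, not part of any post in this thread: a small Python audit of the dst-nat rules in a RouterOS export like the one in the first post, relevant to the port-forwarding question and to the reply that LAN clients reach the server directly. The sample export is a constructed excerpt of that config; the function names and the default-port table are assumptions of this example.

```python
import re
import shlex

# Constructed excerpt modelled on the export in the first post of this thread.
SAMPLE_EXPORT = r'''
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat dst-port=2222 in-interface-list=WAN protocol=\
    tcp to-addresses=192.168.32.14 to-ports=2222
add action=dst-nat chain=dstnat dst-port=51834 in-interface-list=WAN \
    protocol=udp to-addresses=192.168.32.12 to-ports=51834
/ip service
set telnet disabled=yes
set ssh address=192.168.32.0/24 port=2222
set winbox address=192.168.32.0/24
'''

# Assumption: RouterOS default TCP ports for services whose port is not exported.
DEFAULT_PORTS = {"ftp": 21, "ssh": 22, "telnet": 23, "www": 80,
                 "www-ssl": 443, "winbox": 8291, "api": 8728, "api-ssl": 8729}

def parse_export(text):
    """Return (section, verb, names, params) for each command in an export."""
    rows, section = [], None
    # A trailing backslash continues the command on the next, indented line.
    for line in re.sub(r"\\\n\s*", "", text).splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            section = line
            continue
        verb, *tokens = shlex.split(line)
        params = dict(t.split("=", 1) for t in tokens if "=" in t)
        names = [t for t in tokens if "=" not in t]
        rows.append((section, verb, names, params))
    return rows

def audit_forwards(text):
    """List dst-nat rules with notes on scope and router-service port clashes."""
    rows = parse_export(text)
    listening = {}  # TCP port -> enabled router service
    for section, _verb, names, p in rows:
        if section == "/ip service" and names and p.get("disabled") != "yes":
            port = int(p.get("port", DEFAULT_PORTS.get(names[0], 0)))
            listening[port] = names[0]
    findings = []
    for section, _verb, _names, p in rows:
        if section != "/ip firewall nat" or p.get("action") != "dst-nat":
            continue
        proto, port, notes = p.get("protocol"), p.get("dst-port", ""), []
        if p.get("in-interface-list") == "WAN":
            notes.append("matches only traffic arriving on WAN")
        if proto == "tcp" and port.isdigit() and int(port) in listening:
            notes.append("router %s service also listens on tcp/%s"
                         % (listening[int(port)], port))
        findings.append((proto, port, p.get("to-addresses"), notes))
    return findings
```

On the posted config the tcp/2222 forward is flagged because `/ip service` moves the router's own SSH to port 2222, so a LAN client that connects to the router's address on that port reaches the router rather than 192.168.32.14.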
 
jvanhambelgium
Forum Guru
Posts: 1119
Joined: Thu Jul 14, 2016 9:29 pm
Location: Belgium

Re: Why can I not use static ip_

Tue Nov 26, 2024 8:51 pm

Still confused, but the very first post states:

"If I change to Automatic and use a DHCP Client, then it gets the static IP and works fine."

So at this point, you've enabled "DHCP Client" on the Mikrotik, you get an IP (public) and Internet works??
Through DHCP you normally (can) get DNS, Default Route etc. assigned -> so you should not be adding any static routes to get your basic access working.

Give your ISP a quick call to ask them if that's it, and they might configure it so the (public) IP you have now will always be yours...

So your DHCP-client window looks something like this?
[Attachment: Screenshot from 2024-11-26 19-53-55.png]
 
anav
Forum Guru
Posts: 22199
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Why can I not use static ip_

Tue Nov 26, 2024 9:01 pm

Did the ISP provide you with a static WAN IP with its associated gateway?

If so, then simply add this as an address entry (and disable the ip dhcp client entry)
/ip address
# /ip address has no gateway parameter; the gateway is set by the /ip route entry below
add address=ISP_provided_IP/24 interface="ether1 [INTERNET]" network=ISP_provided_network
(typically if IP is 192.168.55.1/24, network is 192.168.55.0)

If they state as noted above it's delivered as static by DHCP, then your config is set up for that and, as also noted, you need to set up a manual route.
/ip route
add dst-address=0.0.0.0/0 gateway=ISP_provided_gateway routing-table=main

NOTE: take the ISP provided gateway off of the IP DHCP Client settings under STATUS tab

As shown in the pic above, if you select default route=yes, then you do not need to configure a route, but I personally like doing it the manual way as it helps one learn how the router works....
 
Hobbit7
just joined
Topic Author
Posts: 6
Joined: Mon Nov 25, 2024 9:31 pm

Re: Why can I not use static ip_

Tue Nov 26, 2024 10:54 pm

First of all, I'd like to thank you all for your great support! I'm learning more and more from your posts.

Just to clarify something. I have not talked with my provider. I changed to a new one about a month ago and the router took by default an IP (at Automatic address acquisition). After that, I noticed that this IP is static (as it usually is in my country) and doesn't change whatever I do. So I thought that the correct setup would be to change from Automatic -> Static, but never managed to make it work. And here we are now trying to figure out what is happening.
I have the IP+gateway from the ISP, but even if I use them and configure the route list as you mentioned above it doesn't work. I add a route 0.0.0.0/0 with the correct gateway and I see one more route with XX.XX.XX.0/24 and gateway ether1. This was done from the default configuration.

The DHCP Client is like the pic you provided, but I have disabled Use Peer DNS, as I'm using cloudflare's 1.1.1.1

EDIT: It worked!!! I have no idea how, but it seems that it worked after rebooting the device with the same settings. I'm so sorry for the mess.

Let's figure out now what is going wrong with port forwarding.
 
Hobbit7
just joined
Topic Author
Posts: 6
Joined: Mon Nov 25, 2024 9:31 pm

Re: Why can I not use static ip_

Wed Nov 27, 2024 7:03 pm

After coming back home, I noticed that there was no internet. It seems that it didn't last for long.
I have the feeling that it managed to connect because I used the IP from DHCP Client-> ether1 (Internet) -> Status -> DHCP Server. There is a strange IP there which has nothing to do with the "static" that I get or gateway/DNS.
When I used it as gateway at Route, it didn't work. After that I changed to the one that I had been using for a long time now, did a restart and it worked. I thought that it was the restart that helped, but it seems not.
Anyway, I still use the Automatic address acquisition which works fine without any issues.
 
Amm0
Forum Guru
Posts: 4441
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: Why can I not use static ip_

Wed Nov 27, 2024 10:21 pm

Hobbit7 wrote:
"Anyway, I still use the Automatic address acquisition which works fine without any issues."

Just to be clear, you shouldn't need /ip/route or /ip/address if you're using DHCP client. I was trying to explain how to set them IF you were NOT using DHCP client. But if a WAN has DHCP, in most cases that's better than manually configuring anything, since if the ISP changes something, you'd still pick up a new address/route.
 
Hobbit7
just joined
Topic Author
Posts: 6
Joined: Mon Nov 25, 2024 9:31 pm

Re: Why can I not use static ip_

Wed Nov 27, 2024 10:54 pm

I understand, but if I disable any of these, then I have no internet. I'll follow the advice that most of you stated above and I'll call my provider for clarification.
 
rplant
Long time Member
Posts: 553
Joined: Fri Sep 29, 2017 11:42 am

Re: Why can I not use static ip_

Thu Nov 28, 2024 1:26 am

Hi,

My guess is that you need to run DHCP, so the ISP gets the MAC address of your router, so it can send packets to it.
It may not use ARP discovery; the DHCP MAC address possibly gets recorded into the RADIUS server, and that is where the router's packets get sent to.
(I believe Mikrotik's do this quite well)